If the certifying authority's key is lost or destroyed but not
compromised, certificates signed with the old key are still valid, as
long as the verifier knows to use the old public key to verify the
certificate.

In some CSU designs, encrypted backup copies of the CA's private key
are kept. A CA which loses its key can then restore it by loading the
encrypted backup into the CSU, which can decrypt it using some unique
information stored inside the CSU; the encrypted backup can only be
decrypted using the CSU. If the CSU itself is destroyed, the
manufacturer may be able to supply another with the same internal
information, thus allowing recovery of the key.

A compromised CA key is a much more dangerous situation. An attacker who
discovers a certifying authority's private key can issue phony certificates
in the name of the certifying authority, which would enable undetectable
forgeries; for this reason, all precautions must be taken to prevent
compromise, including those outlined in Questions 3.3.8 and
3.3.9. If a compromise does occur, the CA must immediately cease
issuing certificates under its old key and change to a new key. If it is
suspected that some phony certificates were issued, all certificates should
be recalled, and then reissued with a new CA key. These measures could be
relaxed somewhat if certificates were registered with a digital
time-stamping service (see Question 3.3.18). Note that compromise of
a CA key does not invalidate users' keys, but only the certificates that
authenticate them. Compromise of a top-level CA's key should be considered
catastrophic, since the key may be built into applications that verify
certificates.
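
The following is an added example, not part of the original FAQ. It shows one way the recall rule could be relaxed with time-stamp receipts: a certificate is kept only if an authentic receipt for that exact certificate predates the compromise. The HMAC key stands in for the time-stamping service's signature, and all names, dates and certificates are constructed assumptions.

```python
import hashlib, hmac
from datetime import datetime, timezone

# Constructed stand-in for the time-stamping service's signing key. A real
# service signs with its own private key, which is independent of the CA key.
TSA_KEY = b"constructed-demo-tsa-key"

def _tag(digest, when):
    msg = f"{digest}|{when.isoformat()}".encode()
    return hmac.new(TSA_KEY, msg, hashlib.sha256).hexdigest()

def tsa_stamp(cert, when):
    """Service side: bind the certificate's digest to the registration time."""
    digest = hashlib.sha256(cert).hexdigest()
    return {"digest": digest, "time": when, "tag": _tag(digest, when)}

def triage(cert, receipt, compromised_at):
    """Decide the fate of one certificate signed under the old CA key."""
    if receipt is None:
        return "recall: no receipt"
    if not hmac.compare_digest(_tag(receipt["digest"], receipt["time"]), receipt["tag"]):
        return "recall: receipt not authentic"
    if receipt["digest"] != hashlib.sha256(cert).hexdigest():
        return "recall: receipt is for a different certificate"
    if receipt["time"] >= compromised_at:
        return "recall: stamped at or after compromise"
    return "keep: stamped before compromise"

def demo():
    utc = lambda *a: datetime(*a, tzinfo=timezone.utc)
    compromised_at = utc(1996, 3, 1)  # constructed: earliest possible compromise
    alice, bob, phony = b"cert:alice", b"cert:bob", b"cert:phony"
    r_alice = tsa_stamp(alice, utc(1996, 1, 10))
    r_late = tsa_stamp(phony, utc(1996, 3, 5))
    r_backdated = dict(r_late, time=utc(1996, 1, 1))  # attacker edits the time
    cases = {
        "alice": (alice, r_alice),
        "bob": (bob, None),
        "phony_late": (phony, r_late),
        "phony_reuse": (phony, r_alice),
        "phony_backdated": (phony, r_backdated),
    }
    return {k: triage(c, r, compromised_at) for k, (c, r) in cases.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The compromise time should be the earliest moment the key could have been exposed, since a receipt only helps if it provably predates any possible forgery.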